selective jail restriction controlling in rc.conf
Hello all, I very much liked the possibility to easily manage jails via rc.conf. Unfortunately I was missing some features. First, there are many security.jail.allow_* sysctls which didn't get attention. Second, I needed to allow different things on different jails. For example, only one distinct jail should have SysV IPC. Please find attached a patch which extends rc.d to my needs. Some jail_start() modifications were necessary and some cleanups could be done in the "Configuring jails:" section (not needed any more) and in the _ip_multi processing, since that's not needed any more. One has to separately define ip4 and ip6 addresses. They can be with or without mask, single or comma-separated list, doesn't matter; thanks to the jail_handle_ips_option() coder, it just works :)

Thanks,
-Harry

--- src/etc/defaults/rc.conf2010-06-28 19:22:08.0 +0200 +++ src/etc/defaults/rc.conf2010-07-03 09:54:55.0 +0200 @@ -642,8 +642,13 @@ jail_enable="NO" # Set to NO to disable starting of any jails jail_list="" # Space separated list of names of jails jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail jail_sysvipc_allow="NO"# Allow SystemV IPC use from within a jail +jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail +jail_raw_sockets_allow="NO" # Prison root can create raw sockets +jail_chflags_allow="NO" # Processes in jail can alter system file flags +jail_mount_allow="NO" # Processes in jail can mount/unmount jail-friendly file systems +jail_quotas_allow="NO" # The prison root may administer quotas on the jail's filesystem(s) +socket_af_allow="NO" # Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. # # To use rc's built-in jail infrastructure create entries for 
@@ -672,6 +677,14 @@ #jail_example_procfs_enable="NO" # mount procfs in jail #jail_example_mount_enable="NO"# mount/umount jail's fs #jail_example_fstab="" # fstab(5) for mount/umount +#jail_example_allow_set_hostname="NO" # This jail can set hostname +#jail_example_allow_sysvipc="NO" # This jail can use SystemV IPC +#jail_example_allow_raw_sockets="NO" # This jail can create raw sockets (ping) +#jail_example_allow_chflags="NO" # This jail can alter it's filesystem flags +#jail_example_allow_mount="NO" # This jail can mount jail friendly filesystems +#jail_example_allow_quotas="NO"# This jail can modify quotas on it's filesystems +#jail_example_allow_socket_af="NO" # This jail can use other protocol stacks than IP4, IP6 and local + #jail_example_flags="-l -U root" # flags for jail(8) ## --- src/etc/rc.d/jail 2010-06-28 19:22:11.0 +0200 +++ src/etc/rc.d/jail 2010-07-03 10:02:34.0 +0200 @@ -21,6 +21,8 @@ start_cmd="jail_start" stop_cmd="jail_stop" +jail_restrictions="set_hostname sysvipc raw_sockets chflags mount quotas socket_af" + # init_variables _j # Initialize the various jail variables for jail _j. # @@ -38,7 +40,8 @@ _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" - eval _ip=\"\$jail_${_j}_ip\" + eval _ip4=\"\$jail_${_j}_ip4\" + eval _ip6=\"\$jail_${_j}_ip6\" eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=\"\$jail_${_j}_exec\" @@ -122,8 +125,9 @@ debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" debug "$_j hostname: $_hostname" - debug "$_j ip: $_ip" - jail_show_addresses ${_j} + debug "$_j ip4: $_ip4" + debug "$_j ip6: $_ip6" +# jail_show_addresses ${_j} debug "$_j interface: $_interface" debug "$_j fib: $_fib" debug "$_j root: $_rootdir" 
@@ -347,27 +351,27 @@ # Debug print the input for the given _multi aliases # for a jail for init_variables(). # -jail_show_addresses() -{ - local _j _type alias - _j="$1" - alias=0 - - if [ -z "${_j}" ]; then - warn "jail_show_addresses: you must specify a jail" - return - fi - - while : ; do - eval _addr=\"\$jail_${_j}_ip_multi${alias}\" - if [ -n "${_addr}" ]; then - debug "${_j} ip_multi${alias}: $_addr" - alias=$((${alias} + 1)) - else - break - fi - done -} +#jail_show_addresses() +#{ +# local _j _type alias +# _j="$1" +# alias=0 +# +# if [ -z "${_j}" ]; then +# warn "jail_show_addresses: you must specify a jail" +# return +# fi +# +# w
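Review bot: in the `@@ -642,8 +642,13 @@` hunk of src/etc/defaults/rc.conf, `socket_af_allow="NO"` is the only new knob without the `jail_` prefix; every other line follows the `jail_<restriction>_allow` pattern, and the `socket_af` entry in `jail_restrictions` suggests the variable name is derived from that pattern, so this one would never be looked up. Rename it `jail_socket_af_allow`. Its comment also describes the default restriction rather than what setting YES grants; the wording used on the neighbouring lines ("Processes in jail can ...") is clearer for an allow knob. Moving the unchanged `jail_socket_unixiproute_only` line below `jail_sysvipc_allow` only adds a -/+ pair to the diff; leave it where it was.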
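Review bot: in the `@@ -672,6 +677,14 @@` hunk, the per-jail example `#jail_example_allow_set_hostname="NO"` disagrees with the global default `jail_set_hostname_allow="YES"` added a few lines up, and nothing in the example block says what happens when a per-jail `jail_<name>_allow_*` variable is left unset. Document the fallback to the global `jail_*_allow` value (or make the example defaults match the globals). Minor: "it's" should be "its" in the chflags and quotas comments, and the socket_af comment omits "route", which the global comment lists.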
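Review bot: the `@@ -38,7 +40,8 @@` hunk in src/etc/rc.d/jail replaces `_ip` with `_ip4`/`_ip6` and reads only `jail_${_j}_ip4` and `jail_${_j}_ip6`, so an existing rc.conf that sets `jail_<name>_ip` (and `jail_<name>_ip_multiN`) will start its jails with no addresses after this change, without any warning. Keep reading `jail_${_j}_ip` as a fallback when both new variables are empty, or at least `warn` when the old variable is still set, and note the rename in UPDATING.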
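Review bot: the `@@ -122,8 +125,9 @@` hunk comments out the `jail_show_addresses ${_j}` call with `#`, and the `@@ -347,27 +351,27 @@` hunk comments out the whole function body instead of deleting it. If `_ip_multi` handling is really no longer needed, remove the function and its header comment outright (the repository history preserves it) rather than leaving commented-out code in rc.d/jail.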
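The post's motivation is that the security.jail.allow_* restrictions can be set per jail from rc.conf. Whatever rc.conf says, a defender wants to verify what a running jail actually ended up with. The script below is an added example, not part of Harald's patch or of FreeBSD's rc.d: a small POSIX sh audit that reads `jls -n` output and lists every enabled `allow.*` parameter together with the per-jail rc.conf variable name the patch would use for it. It assumes `jls -n` prints one jail per line as space-separated name=value tokens with boolean parameters shown as `allow.x` / `noallow.x` (some outputs use `allow.x=1` / `allow.x=0`; both spellings are handled). The `jls -n` text embedded below is constructed sample data with made-up jail names.

```shell
#!/bin/sh
# Added example (not from the patch or FreeBSD's rc.d): audit which allow.*
# parameters are enabled on running jails, so the effective restrictions can
# be compared with what rc.conf was meant to apply.
#
# Assumption: `jls -n` prints one jail per line as space-separated
# name=value tokens; booleans appear as "allow.x"/"noallow.x" or as
# "allow.x=1"/"allow.x=0".  Real usage:  jls -n | audit_jail_allows

# Constructed sample of `jls -n` output; jail names and paths are made up.
SAMPLE_JLS='jid=1 name=www host.hostname=www.example.org path=/jails/www noallow.set_hostname noallow.sysvipc noallow.raw_sockets noallow.chflags noallow.mount noallow.quotas noallow.socket_af
jid=2 name=db host.hostname=db.example.org path=/jails/db allow.set_hostname allow.sysvipc noallow.raw_sockets noallow.chflags noallow.mount noallow.quotas noallow.socket_af
jid=3 name=mon host.hostname=mon.example.org path=/jails/mon noallow.set_hostname noallow.sysvipc allow.raw_sockets=1 allow.chflags=1 allow.mount=0 noallow.quotas noallow.socket_af'

# Reads `jls -n` text on stdin.  For every enabled allow.* parameter prints
#   <jail name> <parameter> <rc.conf variable>
# where the rc.conf variable follows the per-jail naming used by the patch
# (jail_<name>_allow_<restriction>), one finding per line.
audit_jail_allows() {
    awk '
    {
        # First pass: find the jail name on this line.
        name = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (kv[1] == "name") name = kv[2]
        }
        # Second pass: report enabled allow.* parameters.
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            key = kv[1]
            if (key !~ /^allow\./) continue   # noallow.* and non-allow tokens
            enabled = (n == 1) || kv[2] == "1" || kv[2] == "true"
            if (!enabled) continue
            r = key
            sub(/^allow\./, "", r)
            printf "%s %s jail_%s_allow_%s\n", name, key, name, r
        }
    }'
}

# Succeeds only when no jail in the input has any allow.* parameter enabled.
jails_fully_restricted() {
    [ "$(audit_jail_allows | wc -l | tr -d ' ')" -eq 0 ]
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_JLS" | audit_jail_allows
```

On the sample this reports two findings for `db` (set_hostname, sysvipc) and two for `mon` (raw_sockets, chflags); `allow.mount=0` and every `noallow.*` token are ignored. Each finding names the `jail_<name>_allow_*` variable to check in rc.conf, so a mismatch between intended and effective restrictions is easy to spot.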
Re: selective jail restriction controlling in rc.conf
Harald Schmalzbauer wrote on 03.07.2010 10:05 (localtime):
> ... One has to separately define ip4 and ip6 addresses. They can be with or without mask, single or comma-separated list, doesn't matter; thanks to the jail_handle_ips_option() coder, it just works :)

I forgot to change that in defaults/rc.conf. Please find attached the corrected version.

-Harry

--- src/etc/defaults/rc.conf2010-06-28 19:22:08.0 +0200 +++ src/etc/defaults/rc.conf2010-07-03 10:08:31.0 +0200 @@ -642,8 +642,13 @@ jail_enable="NO" # Set to NO to disable starting of any jails jail_list="" # Space separated list of names of jails jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail jail_sysvipc_allow="NO"# Allow SystemV IPC use from within a jail +jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail +jail_raw_sockets_allow="NO" # Prison root can create raw sockets +jail_chflags_allow="NO" # Processes in jail can alter system file flags +jail_mount_allow="NO" # Processes in jail can mount/unmount jail-friendly file systems +jail_quotas_allow="NO" # The prison root may administer quotas on the jail's filesystem(s) +socket_af_allow="NO" # Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. # # To use rc's built-in jail infrastructure create entries for 
@@ -658,8 +663,8 @@ #jail_example_hostname="default.domain.com"# Jail's hostname #jail_example_interface="" # Jail's interface variable to create IP aliases on #jail_example_fib="0" # Routing table for setfib(1) -#jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6 address -#jail_example_ip_multi0="2001:db8::10" # and another IPv6 address +#jail_example_ip4="192.0.2.10/24,10.1.2.3" # Jail's IPv4 address(es) +#jail_example_ip6="2001:db8::10,fec0::0:1:2:3" # Jail's IPv6 address(es) #jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting #jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for # starting the jail. More than one can be @@ -672,6 +677,14 @@ #jail_example_procfs_enable="NO" # mount procfs in jail #jail_example_mount_enable="NO"# mount/umount jail's fs #jail_example_fstab="" # fstab(5) for mount/umount +#jail_example_allow_set_hostname="NO" # This jail can set hostname +#jail_example_allow_sysvipc="NO" # This jail can use SystemV IPC +#jail_example_allow_raw_sockets="NO" # This jail can create raw sockets (ping) +#jail_example_allow_chflags="NO" # This jail can alter it's filesystem flags +#jail_example_allow_mount="NO" # This jail can mount jail friendly filesystems +#jail_example_allow_quotas="NO"# This jail can modify quotas on it's filesystems +#jail_example_allow_socket_af="NO" # This jail can use other protocol stacks than IP4, IP6 and local + #jail_example_flags="-l -U root" # flags for jail(8) ## --- src/etc/rc.d/jail 2010-06-28 19:22:11.0 +0200 +++ src/etc/rc.d/jail 2010-07-03 10:02:34.0 +0200 @@ -21,6 +21,8 @@ start_cmd="jail_start" stop_cmd="jail_stop" +jail_restrictions="set_hostname sysvipc raw_sockets chflags mount quotas socket_af" + # init_variables _j # Initialize the various jail variables for jail _j. # 
@@ -38,7 +40,8 @@ _fdescdir="${_devdir}/fd" _procdir="${_rootdir}/proc" eval _hostname=\"\$jail_${_j}_hostname\" - eval _ip=\"\$jail_${_j}_ip\" + eval _ip4=\"\$jail_${_j}_ip4\" + eval _ip6=\"\$jail_${_j}_ip6\" eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=\"\$jail_${_j}_exec\" @@ -122,8 +125,9 @@ debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" debug "$_j hostname: $_hostname" - debug "$_j ip: $_ip" - jail_show_addresses ${_j} + debug "$_j ip4: $_ip4" + debug "$_j ip6: $_ip6" +# jail_show_addresses ${_j} debug "$_j interface: $_interface" debug "$_j fib: $_fib" debug "$_j root: $_rootdir" @@ -347,27 +351,27 @@ # Debug print the input for the given _multi aliases # for a jail for init_variables(). # -jail_show_addresses() -{ - local _j _type alias - _j="$1" - alias=0 - - if [ -z "${_j}" ]; then - warn "jail_show_addresses: you must specify a jail" - return - fi - - while : ; do - eval _addr=\"\$jail_${_j}_ip_multi${alias}\" - if [ -n "${_addr}" ]; th
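Review bot: in the `@@ -658,8 +663,8 @@` hunk the new `jail_example_ip6` example `2001:db8::10,fec0::0:1:2:3` pairs the documentation prefix 2001:db8::/32 with a site-local address; fec0::/10 was deprecated by RFC 3879 and should not appear in a shipped example. Likewise `jail_example_ip4="192.0.2.10/24,10.1.2.3"` mixes RFC 5737 documentation space with a private address. Use documentation addresses throughout, e.g. `192.0.2.10/24,192.0.2.11` and `2001:db8::10,2001:db8::11`, and let the comment say that the mask is optional and entries are comma separated, since the covering mail says jail_handle_ips_option() accepts both forms.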
[Need Help] isboot (iSCSI boot driver) version 0.2.1
Hi all,

I uploaded isboot 0.2.1. Now isboot supports the R2T command and non-immediate mode. I believe that compatibility with iSCSI targets is improved. Please check it with your iSCSI target and NIC. Also, this version supports a task queue, which improves performance. My test machine got 74MB/s read, 60MB/s write (at bs=1m).

Notes/Known Issues/Limitations:
FreeBSD can't use transfer length > 64KB. It seems only 2 of the 64 CAM tags are used. I don't know the reason; maybe the MAXPHYS limit?

How to build/upgrade:
# cd /usr/src
# tar xvf /path/to/iscsi-2.2.4.tar.gz
# tar xvf /path/to/isboot-0.2.1.tar.gz
# make buildkernel
# make installkernel
or
# cd /usr/src/sys/modules/iscsi/isboot
# make obj
# make depend
# make clean
# make all
# make install
After installation, please reboot the server for the change to take effect. Confirm the log shows "iSCSI boot driver version 0.2.1".

What's new?:
* support CHAP/Mutual CHAP
* add task queue
* R2T command and non-immediate mode

Performance (without digest):
# dd if=/dev/da4 of=/dev/null bs=1m count=1k
1024+0 records in
1024+0 records out
1073741824 bytes transferred in 14.374117 secs (74699672 bytes/sec)
# dd if=/dev/zero of=/dev/da4 bs=1m count=1k
1024+0 records in
1024+0 records out
1073741824 bytes transferred in 17.823493 secs (60243064 bytes/sec)

Download links:
http://www.peach.ne.jp/archives/isboot/isboot-0.2.1.tar.gz

Download links (for testing purpose only):
http://www.peach.ne.jp/archives/isboot/demo/FreeBSD-7.3-RELEASE-amd64-isboot-0.2.1.iso
http://www.peach.ne.jp/archives/isboot/demo/FreeBSD-7.3-RELEASE-i386-isboot-0.2.1.iso
http://www.peach.ne.jp/archives/isboot/demo/FreeBSD-8.1-RC2-amd64-isboot-0.2.1.iso
http://www.peach.ne.jp/archives/isboot/demo/FreeBSD-8.1-RC2-i386-isboot-0.2.1.iso
http://www.peach.ne.jp/archives/isboot/demo/unionfs-mkisboot.sh

gPXE + isboot + istgt (for reference):
http://lists.freebsd.org/pipermail/freebsd-scsi/2010-June/004432.html

Previous versions:
http://lists.freebsd.org/pipermail/freebsd-scsi/2010-June/004431.html
http://lists.freebsd.org/pipermail/freebsd-scsi/2010-June/004425.html

I hope this helps you. Enjoy it.

Daisuke Aoyama
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: selective jail restriction controlling in rc.conf
On Sat, 3 Jul 2010, Harald Schmalzbauer wrote:

Hello Harald,

> Harald Schmalzbauer wrote on 03.07.2010 10:05 (localtime):
> ... One has to separately define ip4 and ip6 addresses. They can be with or without mask, single or comma-separated list, doesn't matter; thanks to the jail_handle_ips_option() coder, it just works :)
>
> I forgot to change that in defaults/rc.conf. Please find attached the corrected version.

there is currently an ongoing discussion about jail configuration on the freebsd-jail@ mailing list:
http://lists.freebsd.org/pipermail/freebsd-jail/2010-June/thread.html#1308

I think your comments (and patches) are better sent there, rather than to sta...@.

Regards,
Bjoern

--
Bjoern A. Zeeb
From August on I will have a life. It's now up to you to do the maths and count to 64.
-- Bondorf, Germany, 14th June 2010
Atheros AR9280 on 8.1-RC2 - unusable
I recently upgraded a system of mine with an Atheros AR9280 to FreeBSD 8.1-RC2. Upon booting, the system log keeps getting appended with entries that state:

ath0: bb hang detected (0x80)

and

ath0: ath_chan_set: unable to reset channel X (, flags 0x480), hal status 3

where X and cycle through the various channels and frequencies. The associated wlan device is unable to associate with the wireless access point. Let me know if there's any other information I can provide.

This card experienced occasional lockups in 8.0-RELEASE, and will only associate with the ath driver if the driver is compiled into the kernel; loading it as a module would not work. I'm posting this here because I saw Ken Smith's comment about recent AR9280 regression and fixes on this branch.

Thanks,
- Craig
Odd behavior of labels on different filesystem types
I have run into an odd behavior in 8-stable that I can't see a reason for.

If I have a FAT32 formatted removable drive, I get /dev entries for it as both /dev/msdosfs/LABEL and /dev/ufsid/ID. When I mount the filesystem, the /dev/ufsid label is removed, but the other two remain.

If I have a UFS filesystem on the disk, I have similar devices except that the LABEL is /dev/ufs/LABEL. But, when the UFS device is mounted, the /dev/ufsid/ID AND the /dev/ufs/LABEL devs are both deleted.

I'm not sure which is "right", but I can't see the reason for the different behavior, and it has caused a fair bit of trouble when working with gnome-mount, as I can't unmount a UFS device. When the /dev/ufs/LABEL device is created again on the umount, gnome-mount sees a new device and immediately re-mounts it.

Can this inconsistency be corrected?
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Odd behavior of labels on different filesystem types
On 07/03/2010 16:51, Kevin Oberman wrote:
> I have run into an odd behavior in 8-stable that I can't see a reason for.
>
> If I have a FAT32 formatted removable drive, I get /dev entries for it as both /dev/msdosfs/LABEL and /dev/ufsid/ID. When I mount the filesystem, the /dev/ufsid label is removed, but the other two remain.
>
> If I have a UFS filesystem on the disk, I have similar devices except that the LABEL is /dev/ufs/LABEL. But, when the UFS device is mounted, the /dev/ufsid/ID AND the /dev/ufs/LABEL devs are both deleted.
>
> I'm not sure which is "right", but I can't see the reason for the different behavior and it has caused a fair bit of trouble when working with gnome-mount as I can't unmount a ufs device. When the /dev/ufs/LABEL device is created again on the umount, gnome-mount sees a new device and immediately re-mounts it.
>
> Can this inconsistency be corrected?

Can you try to zero out that disk first, i.e.

dd if=/dev/zero of=/dev/DISK bs=4m

Then format your msdos fat part and relabel it. You should not see a /dev/ufsid/ label for this anymore. I believe that for some reason the ufsid metadata, or whatever you want to call it, somehow has been left behind and is still being read for whatever reason, and this can be confirmed by doing this.

As for /dev/ufs/LABEL, /dev/ufsid/ID and /dev/device: when you mount one, the others should disappear, so this is correct behavior.

--
+-+-+-+-+-+
|j|h|e|l|l|
+-+-+-+-+-+